I want to use HTTP basic authentication to password protect the status callback endpoint for programmable sms. On the initial request from Twilio, which does not have a Authorization header, I send back a status code of 401 with the WWW-Authenticate header set to "Basic realm='some realm'". However I do not receive a following request from Twilio with Authorization header.
refer: https://www.twilio.com/docs/usage/security#http-authentication
// Send sms with status callback
const details = await client.messages
.create({
body: 'This is the ship that made the Kessel Run in fourteen parsecs?',
from: 'TEST',
to: '......',
statusCallback: `https://user123:pass123#foo.com/status`
})
// Lambda response headers from logs
Method response headers: {WWW-Authenticate=Basic realm='Validate twilio request', Content-Type=application/xml}
Note: The reason as to why basic authentication is needed is to validate the authenticity of the request using the provided username and password. I am not using the X-Twilio-Signature HTTP header as I do not have access to the auth token to validate the request and am using api keys to make requests.
I tested with Ngrok (w/authentication enabled) with Twilio statusCallback basic authentication configured and it works. Try modifying your response headers to see if that changes anything.
Ngrok returns the below response headers:
HTTP/1.1 401 Unauthorized
Content-Length: 20
Content-Type: text/plain
Www-Authenticate: Basic realm="ngrok"
#Alan's answer lead me to investigate further on the headers returned by API Gateway. The 'WWW-Authenticate' headers that the lambda returned had been remapped by API Gateway (learn more here: https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-known-issues.html)
The solution was to implement a lambda authorizer to intercept the request and do the necessary authentication i.e check for the Authorization header. The lambda authorizer then allows or denies the request from passing on to the lambda method.
Related
I'm attempting to use the Google Cloud Translate API v3 to perform some translations in Postman.
I've configured my Google app to user an OAuth 2.0 Client ID. I can successfully get an access token using OAuth. But every time I make a request, the response is a 400 Bad Request.
Here are my OAuth 2.0 settings in Postman:
Here are the configured request headers:
And, here is the request body:
Any ideas on why I get a 400 response with this request?
I am trying to register a endpoint for twitter webhook but it returns
{“errors”:[{“code”:32,“message”:“Could not authenticate you.”}]}
I am using twitter sample request to register webhook. Here is my curl request,
curl request to register url
curl --request POST --url "https://api.twitter.com/1.1/account_activity/all/:ENV_NAME/webhooks.json?https%3A%2F%2Fd216d0d30d8f.ngrok.io%2Fapi%2F1.0%2Fwebhooks%2Ftwitter" --header "authorization: OAuth oauth_consumer_key="CONSUMER_KEY", oauth_nonce="EhOhXekPMpf", oauth_signature="GvOx3V91BrfWuBuPKUuftYgRgHY%3D", oauth_signature_method="HMAC-SHA1", oauth_timestamp="1597823037", oauth_token="ACCESS_TOKEN", oauth_version="1.0""
My endpoint is running on https using ngrok tunnel
endpoint running on https using ngrok
I have got all requirements from twitter:
Approved developer account.
Environment setup on Account Activity API.
Valid Consumer Key and Secret.
Valid Access Token and Token Secret.
I have tried request using angular and https mydomain.
//function to register twitter webhook
registerTwitterWebhook() {
// authorization in headers
const headers = new HttpHeaders({
'authorization': 'OAuth oauth_consumer_key="CONSUMER_KEY",oauth_nonce="UAkSZPWDfmM",oauth_signature="%2FWSSbq4R1eTbGF4X9xg1T1e9sY4%3D",oauth_signature_method="HMAC-SHA1",oauth_timestamp="1597728768",oauth_token="ACCESS_TOKEN",oauth_version="1.0"',
'Content-Type': 'application/x-www-form-urlencoded'
})
const url = 'https://api.twitter.com/1.1/account_activity/all/:ENV_NAME/webhooks.json?url="https%3A%2F%mydomain.com%2Fapi%2F1.0%2Fwebhooks%2Ftwitter"';
return this.http.post(url, {}, { headers: headers });
}
On sending POST request it shows error as follows
Error chrome web console
Kindly guide me with the possible solution for registering twitter webhook.
Thank you
The code you’re trying to run from the browser will not work, because Twitter does not support CORS (that’s what the error message is telling you). The curl command needs to use form data for the URL submission per this answer
I'm using the OAuth Authorization Code flow to authenticate the user and authorize my application against the WSO2 Identity Server. I'm using a simple node/express server, with Passport.js, to get the Access Token, and Postman to use that Access Token to make a few test requests to the SOAP APIs.
When using a Bearer Token method to authorize my application, I get the following error in the IS logs: 0 active authenticators registered in the system. The system should have at least 1 active authenticator service registered. I get the following error in Postman: 500 Internal Server Error, with the following response body, <faultstring>Authentication failure</faultstring>.
Here is what it looks like in Postman:
The same Access Token works with a REST API request, like "https://localhost:9443/scim2/Me".
Can anyone tell me what I'm missing here?
SOAP APIs in WSO2 Identity Server cannot be authenticated with Bearer tokens. They can be authenticated with Basic authentication and cookies. That's the reason for getting Authentication failure in the response.
But REST APIs in the Identity Server can be authenticated with Bearer tokens. So /scim2/Me authenticate successfully with access token.
Try to get the Access token manually from Authorize service and use it
Step 1: Get authorization code
https://<is_server_url>:9443/oauth2/authorize?client_id=<id>&redirect_uri=<callback_url>&response_type=code&scope=openid
You will get an authorization code on the callback URL
Step 2: Call token service to get access token
Post https://<is_server_url>:9443/oauth2/token
Content-Type:application/x-www-form-urlencoded
Authorization:Basic <base64encoded "<client_id>:<client_secret>">
grant_type:authorization_code
scope:openid
code:<code_from_step_1>
redirect_uri:<callback_url>
exp:
client_id=**abcdefgh12345678**
client_secret=**xyzsecretkey**
callback_url=**http://locahost/callback**
scope=openid
server: localhost
base64encode(client_id:client_secret)= base64encode(abcdefgh12345678:xyzsecretkey) => YWJjZGVmZ2gxMjM0NTY3ODp4eXpzZWNyZXRrZXk=
GET https://localhost:9443/oauth2/authorize?client_id=**abcdefgh12345678**&redirect_uri=**http://locahost/callback**&response_type=code&scope=openid
it will make a request back to the callback url with a parameter code, lets say code=this01is02your03code, please check your browser address bar
POST https://localhost:9443/oauth2/token
HEADERS
Content-Type:application/x-www-form-urlencoded
Authorization:Basic **YWJjZGVmZ2gxMjM0NTY3ODp4eXpzZWNyZXRrZXk=**
BODY
grant_type:authorization_code
scope:openid
code:this01is02your03code
redirect_uri:http://locahost/callback
this will return an access token, let say token returned by the server is 12345678ASDFGH
Now you could use this token to call any RestFull or SOAP service
Authorization: Bearer 12345678ASDFGH
I'm writing a Go application which has to authenticate using auth0. This is done similar to how Google do it, by creating a HTTP server and setting the callback url to localhost
https://developers.google.com/identity/protocols/OAuth2InstalledApp
Instead of sending the access_token in the HTTP body, it stored the token in the URL which could be cached by the browser/proxy.
http://127.0.0.1:36572/auth0/authenticate/#access_token=eyJ0...truncated...SVYsfTThUhssJSh2C9FSvSGFusdw&expires_in=7200&token_type=Bearer&state=QuSsUxSZkYtFi7QPJkpxB9VI23lO3x4W
How do I configure auth0 to make the callback request to http://127.0.0.1:36572/auth0/authenticate, and store the sensitive tokens in the HTTP response body?
Thanks
EDIT: https://auth0.com/docs/api-auth/tutorials/authorization-code-grant-pkce
I am using Twilio programmable Fax api to send fax messages from my application.
I am not facing any issue while sending faxes when I provide a public url with out any authentication as mediaUrl for sending the fax. But when I pass a url secured with basic authentication as the mediaUrl for the send fax api, the fax sending is getting failed.
"status": "failed",
I have debugged the code on the server on which the mediaUrl accesses, and could find that Twilio is not at all sending a request with "Authorization" header.
As per Twilio documentation,
You may provide a username and password via the following URL format.
https://username:password#www.myserver.com/my_secure_document
Twilio will authenticate to your web server using the provided
username and password and will remain logged in for the duration of
the call. We highly recommend that you use HTTP Authentication in
conjunction with encryption. For more information on Basic and Digest
Authentication, refer to your web server documentation.
If you specify a password-protected URL, Twilio will first send a
request with no Authorization header. After your server responds with
a 401 Unauthorized status code, a WWW-Authenticate header and a realm
in the response, Twilio will make the same request with an
Authorization header
I am giving the mediaUrl in the same format as required by Twilio. But the fax is getting response as failed. Kindly provide your valuable suggestions to help me resolve the issue.
My server is sending the 401 response as given below when Twilio accesses the mediaUrl without Authorization header,
Http response header for 401
Status Code: 401 Unauthorized
Content-Length: 34
Content-Type: application/xml
Date: Wed, 30 Aug 2017 12:38:41 GMT
Server: Apache-Coyote/1.1
WWW-Authenticate: Basic realm="My Realm"
Response body
<message>Invalid credentials</message>
Update
Good news! Media URLs in Twilio Programmable Fax now support basic authentication. This has been implemented and deployed, so this should no longer be an issue.
Original answer
Twilio developer evangelist here.
After some internal investigation I've found out that this is a known issue.
It was in fact raised by your support ticket that you sent in. Good news is that since this is known it will be getting some attention and the team will contact you once it is sorted.
To answer this question differently, I'm just using Signed URLs on Google Cloud, which provide a long token that grants temporary access for a specific file. You can set this to grant access for 10 minutes, which should be more than enough time.
AWS appears to offer a similar solution.